Commit Graph

37 Commits

Author SHA1 Message Date
Rob Crittenden
9d1ee64434 ipa-advise: Define the domain used when looking up ipa-ca
The error message if ipa-ca can't be resolved included the
undefined variable ${domain_name}. Since this is static anyway
change to a python format string and hardcode the string in
the resulting script as api.env.domain.

Discovered while working on https://pagure.io/freeipa/issue/8934

Related: https://pagure.io/freeipa/issue/8934

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2021-08-03 11:05:15 -04:00
Rob Crittenden
e13bd7ed0e ipa-advise: if p11-kit provides opensc, don't add to NSS db
p11-kit-proxy in newer distributions handles loading the OpenSC
PKCS#11 library so don't try to add it to the NSS database in
/etc/pki/nssdb if it is already available in order to avoid a
potentially confusing error message.

https://pagure.io/freeipa/issue/8934

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2021-08-03 11:05:15 -04:00
Rob Crittenden
6518a600b4 Change FreeIPA references to IPA and Identity Management
In order to simplify the build process between upstream FreeIPA
and downstream builds (such as CentOS Stream) we are changing
some file references from FreeIPA to IPA (and Identity Management).

https://pagure.io/freeipa/issue/8669

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-01-21 13:51:45 +01:00
Florence Blanc-Renaud
edcfba6010 ipa-advise: fallback to /usr/libexec/platform-python if python3 not found
when ipa-advise generates a script to configure a client for smart card
auth, the script calls python3 to configure SSSD. The issue happens
if the server (when ipa-advise is run) and the client do not have
the same path for python3 command.

By default, try to use python3 but if the command is not found, fallback
to /usr/libexec/platform-python (which is the python3 path on RHEL8).

Fixes: https://pagure.io/freeipa/issue/8311
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-05-05 11:50:01 +02:00
Florence Blanc-Renaud
87c24ebd34 smartcard: make the ipa-advise script compatible with authselect/authconfig
"ipa-advise config-client-for-smart-card-auth" is run on a server and
creates a script that needs to be copied and executed on a client.
The client may be of a different version and use authconfig instead of
authselect. The generated script must be able to handle both cases
(client using authselect or client using authconfig).

The patch checks whether authselect is available and calls the proper
configuration command (authselect or authconfig) depending on its
availability on the client.

Fixes: https://pagure.io/freeipa/issue/8113
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-11-08 12:57:54 +01:00
Christian Heimes
f330c59dd8 Add install/remove package helpers to advise
The smart card advise scripts assume that yum is installed. However
Fedora has dnf and the yum wrapper is not installed by default.
Installation and removal of packages is now provided by two helper
methods that detect the package manager.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-12-11 13:46:52 +01:00
Christian Heimes
0a2222ea26 Smart card auth advise: Allow Apache user
Modify the smard card auth advise script to use sssd_enable_ifp() in
order to allow Apache to access SSSD IFP.

See: https://pagure.io/freeipa/issue/7751
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-12-11 13:46:52 +01:00
Christian Heimes
4de97f496d Replace hard-coded interpreter with sys.executable
Instead of hard-coding python3, the smart card advise script now uses
the current executable path from sys.executable as interpreter.

Fixes: https://pagure.io/freeipa/issue/7741
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-10-24 17:44:20 +02:00
Petr Vobornik
0e22314c9b ipa-advise: update url of cacerdir_rehash tool
On legacy systems which don't have cacerdir_rehash tool (provided by authconfig)
the generated advise script downloads this tool from project page and uses it.

After decommision of Fedorahosted and move of authconfig project to Pagure,
this url was not updated in FreeIPA project.

This patch updates the url.

https://pagure.io/freeipa/issue/7731

Signed-off-by: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-10-23 10:23:16 +02:00
Christian Heimes
4a58adf79e Sprinkle raw strings across the code base
tox / pytest is complaining about lots and lots of invalid escape
sequences in our code base. Sprinkle raw strings or backslash escapes
across the code base to fix most occurences of:

  DeprecationWarning: invalid escape sequence

There is still one warning that keeps repeating, though:

  source:264: DeprecationWarning: invalid escape sequence \d

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-09-27 10:23:03 +02:00
Florence Blanc-Renaud
7729bb73b4 ipa-advise: configure pam_cert_auth=True for smart card on client
ipa-advise config-client-for-smart-card-auth is now using authselect
instead of authconfig, but authselect enable-feature with-smartcard
does not set pam_cert_auth=True in /etc/sssd/sssd.conf.
As a result, smart card auth on a client fails.
The fix adds a step in ipa-advise to configure pam_cert_auth=True.

The fix also forces the use of python3 interpreter, and handles
newer versions of SSSD which use OpenSSL instead of NSS (the trusted
CA certs must be put into /etc/sssd/pki/sssd_auth_ca_db.pem

Fixes https://pagure.io/freeipa/issue/7532

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-09-19 10:13:15 +02:00
Rob Crittenden
c6b3cf6dd7 Advise plugin for enabling sudo for members of the admins group
Create HBAC and a sudo rule for allowing members of the admins
group to run sudo on all enrolled hosts.

https://pagure.io/freeipa/issue/7538

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-09-12 10:43:06 -04:00
amitkumar50
d4f2f53eb2 ipa-advise: remove plugin config-fedora-authconfig
ipa-advise config-fedora-authconfig produces a script with authconfig
instructions for configuring Fedora 18/19 client with IPA server
without use of SSSD. Fedora 18 and 19 are not supported any more,
so the plugin could be removed.

Resolves: https://pagure.io/freeipa/issue/7533
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2018-05-21 14:32:38 -04:00
Florence Blanc-Renaud
8fe5f8d2e7 ipa-advise: adapt config-client-for-smart-card-auth to authselect
ipa-advise config-client-for-smart-card-auth was producing a shell script
calling authconfig.
With the migration from authconfig to authselect, the script needs to
be updated and call authselect enable-feature with-smartcard instead.

Related to
https://pagure.io/freeipa/issue/7377

Reviewed-By: Alexander Koksharov <akokshar@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-04-27 14:01:33 +02:00
Florence Blanc-Renaud
2d5245cebc ipa-advise config-server-for-smart-card-auth: use mod-ssl
ipa-advise config-server-for-smart-card-auth produces a script that
was still using /etc/httpd/conf.d/nss.conf instead of
/etc/httpd/conf.d/ssl.conf for setting the Apache SSLOCSPEnable Directive.

The fix replaces references to nss.conf with ssl.conf.

https://pagure.io/freeipa/issue/7515

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-04-26 08:31:08 +02:00
Stanislav Laznicka
b5bdd07bc5
Add absolute_import future imports
Add absolute_import from __future__ so that pylint
does not fail and to achieve python3 behavior in
python2.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-04-20 09:43:37 +02:00
Rob Crittenden
fa135e6ef1
Update smart_card_auth advise script for mod_ssl
Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-02-21 07:57:40 +01:00
amitkuma
6c81a2cb50 ipa-advise for smartcards updated
......
authconfig --enablesmartcard --smartcardmodule=sssd --updateall

Advise is updated to:
authconfig --enablesssd --enablesssdauth --enablesmartcard --smartcardmodule=sssd
--smartcardaction=1 --updateall

Resolves: https://pagure.io/freeipa/issue/7358
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-02-07 12:56:41 +01:00
Martin Babinsky
53c5c0ad7b smart-card-advises: ensure that krb5-pkinit is installed on client
This library is a prerequisite for successful Smart Card authentication
on the client. The client-side advise should make sure this dependency
is present.

https://pagure.io/freeipa/issue/7036

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-07-04 09:48:04 +02:00
Martin Babinsky
e0cf7090f3 smart card advise: use password when changing trust flags on HTTP cert
This is to prevent NSS asking for database password when operating in
FIPS 140 mode.

https://pagure.io/freeipa/issue/7036

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-07-04 09:48:04 +02:00
Martin Babinsky
4d57aef7a5 smart card advises: use a wrapper around Bash for loops
Replace the raw `command` calls constructing the for loops in some
methods by a wrapper hiding this detail.

https://pagure.io/freeipa/issue/7036

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-07-04 09:48:04 +02:00
Martin Babinsky
a9fec090f7 Use the compound statement formatting API for configuring PKINIT
Use `if_branch` and `else_branch` context managers instead of raw
`command` calls in the method that generates Bash snippet that
configures PKINIT on the master.

https://pagure.io/freeipa/issue/7036

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-07-04 09:48:04 +02:00
Martin Babinsky
85a79b5ccd Fix indentation of statements in Smart card advises
https://pagure.io/freeipa/issue/7036

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-07-04 09:48:04 +02:00
Martin Babinsky
0181334c4c delegate the indentation handling in advises to dedicated class
Indentation levels are now handled transparently by a dedicated class
and should not pollute the statement printing logic.

https://pagure.io/freeipa/issue/7036

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-07-04 09:48:04 +02:00
Martin Babinsky
e0c2e0f26c Allow to pass in multiple CA cert paths to the smart card advises
If the user has a series of CA certificates required to verify smart
card certs (e.g. intermediary CAs and root CA) it is convenient to allow
for passing them to the advise scripts as a series of PEM files.

https://pagure.io/freeipa/issue/7036

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-07-04 09:48:04 +02:00
Martin Babinsky
584abe5b68 smart-card advises: add steps to store smart card signing CA cert
On master, upload the CA certificate to IPA LDAP and NSS databases. On
both master and client run ipa-certupdate to update client-side CA
certificate bundles used as PKINIT anchors.

https://pagure.io/freeipa/issue/7036

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-07-04 09:48:04 +02:00
Martin Babinsky
69ba5f9422 smart-card advises: configure systemwide NSS DB also on master
Previously the Smart card signing CA cert was uploaded to systemwide NSS
DB only on the client, but it need to be added also to the server.
Modify the advise plugins to allow for common configuration steps to
occur in both cases.

https://pagure.io/freeipa/issue/7036

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-07-04 09:48:04 +02:00
Martin Babinsky
e418e9a4ca Prepare advise plugin for smart card auth configuration
The plugin contains recipes for configuring Smart Card authentication
on FreeIPA server and enrolled client.

https://www.freeipa.org/page/V4/Smartcard_authentication_ipa-advise_recipes
https://pagure.io/freeipa/issue/6982

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-06-14 12:24:20 +02:00
Jan Cholasta
d6b755e3fc ipautil: remove SHARE_DIR and PLUGIN_SHARE_DIR
SHARE_DIR and PLUGIN_SHARE_DIR depend on ipaplatform.

Replace all uses of SHARE_DIR with paths.USR_SHARE_IPA_DIR and remove
both SHARE_DIR and PLUGIN_SHARE_DIR.

https://fedorahosted.org/freeipa/ticket/6474

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-11-29 14:50:51 +01:00
Petr Vobornik
02d3ea1062 advise: configure TLS in redhat_nss_pam_ldapd and redhat_nss_ldap plugins
authconfig in config_redhat_nss_ldap and config_redhat_nss_pam_ldapd got
new option --enableldaptls

It should have effect primarily on el5 systems.

https://fedorahosted.org/freeipa/ticket/5654

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2016-03-01 13:05:20 +01:00
Gabe
5c9b9089b7 Migrate wget references and usage to curl
https://fedorahosted.org/freeipa/ticket/5458

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-12-11 18:46:10 +01:00
Jan Cholasta
2625efa727 advise: Add separate API object for ipa-advise
Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-03-05 11:01:36 +01:00
Tomas Babej
00c0878b90 ipatests: Use command -v instead of which in legacy client advice
Part of: https://fedorahosted.org/freeipa/ticket/3833
2013-11-01 15:39:52 +01:00
Tomas Babej
57ccee4eae advice: Add legacy client configuration script using nss-ldap
Part of: https://fedorahosted.org/freeipa/ticket/3833
2013-10-31 09:22:34 +01:00
Ana Krivokapic
92cd987e0a Add ipa-advise plugins for nss-pam-ldapd legacy clients
Add three new ipa-advise plugins, to facilitate configuration of
legacy clients using nss-pam-ldapd:

* config-redhat-nss-pam-ldapd
* config-generic-linux-nss-pam-ldapd
* config-freebsd-nss-pam-ldapd

https://fedorahosted.org/freeipa/ticket/3672
2013-10-18 16:15:12 +02:00
Ana Krivokapic
fc3f3c90b9 Add ipa-advise plugins for legacy clients
Old versions of SSSD do not directly support cross-realm trusts between IPA
and AD. This patch introduces plugins for the ipa-advise tool, which should
help with configuring an old version of SSSD (1.5-1.8) to gain access to
resources in trusted domain.

Since the configuration steps differ depending on whether the platform includes
the authconfig tool, two plugins are needed:

* config-redhat-sssd-before-1-9 - provides configuration for Red Hat based
  systems, as these system include the autconfig utility
* config-generic-sssd-before-1-9 - provides configuration for other platforms

https://fedorahosted.org/freeipa/ticket/3671
https://fedorahosted.org/freeipa/ticket/3672
2013-08-07 09:18:42 +02:00
Tomas Babej
c81849712f Provide ipa-advise tool
Provides a pluggable framework for generating configuration
scriptlets and instructions for various machine setups and use
cases.

Creates a new ipa-advise command, available to root user
on the IPA server.

Also provides an example configuration plugin,
config-fedora-authconfig.

https://fedorahosted.org/freeipa/ticket/3670
2013-07-17 13:49:59 +02:00